The Grand Tor: How to Go Anonymous Online

You may already be familiar with TorBrowser. But the anonymous internet has a lot more to offer.

Aaron Fernandez

Fifteen years have passed since a couple of MIT grads and a Navy-funded researcher first built The Onion Router, or Tor, a wild experiment in granting anonymity to anyone online. Today, Tor has millions of users. The original project has been endlessly hacked on, broken, and fixed again. While imperfect, it remains the closest thing to a cloak of anonymity for internet users with a high sensitivity to surveillance, without needing serious technical chops. And it’s stronger and more versatile than ever before.

Tor protects your identity online—namely your IP address—by encrypting your traffic in at least three layers and bouncing it through a chain of three volunteer computers chosen among thousands around the world, each of which strips off just one layer of encryption before bouncing your data to the next computer. All of that makes it very difficult for anyone to trace your connection from origin to destination—not the volunteer computers relaying your information, not your internet service provider, and not the websites or online services you visit.
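The layering described above, as an added illustration (not code from this article or from the Tor Project): a toy SHA-256 stream cipher stands in for Tor's real cryptography, and the relay names, keys and destination are constructed. It records what each relay can observe as it strips its own layer.

```python
import hashlib, hmac, json, os

def _xor(key, nonce, data):
    # Toy stream cipher: SHA-256 in counter mode. A stand-in, not Tor's cipher.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

def seal(key, plaintext):
    nonce = os.urandom(16)
    ct = _xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + tag + ct

def unseal(key, blob):
    nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("layer was not encrypted to this relay's key")
    return _xor(key, nonce, ct)

def wrap(path, destination, payload):
    """Client side. path = [(relay_name, key), ...] ordered entry, middle, exit."""
    next_hops = [name for name, _ in path[1:]] + [destination]
    blob = payload
    # Encrypt for the exit first, so the entry relay's layer ends up outermost.
    for (_, key), nxt in reversed(list(zip(path, next_hops))):
        blob = seal(key, json.dumps({"next": nxt, "data": blob.hex()}).encode())
    return blob

def peel(key, blob):
    """Relay side: strip exactly one layer, learning only the next hop."""
    layer = json.loads(unseal(key, blob))
    return layer["next"], bytes.fromhex(layer["data"])

def route(path, blob):
    """Simulate the relays; return (relay, saw_traffic_from, forwards_to) per hop."""
    seen, prev = [], "client"
    for name, key in path:
        nxt, blob = peel(key, blob)
        seen.append((name, prev, nxt))
        prev = name
    return seen, blob

if __name__ == "__main__":
    demo_path = [(n, os.urandom(32)) for n in ("entry", "middle", "exit")]  # constructed
    hops, delivered = route(demo_path, wrap(demo_path, "example.org:443", b"hello"))
    print(hops, delivered)
```

Only the first relay ever sees the client and only the last sees the destination and the unwrapped payload, which is why the article's later advice about HTTPS matters at the exit.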

Earlier this month, Tor announced an update to its so-called onion services, which use Tor’s anonymizing features to hide not just individual people on the web, but servers too, allowing for so-called dark web or darknet sites and other services that can’t be physically traced to any locatable computer. Beyond merely covering your tracks as you visit websites, the new feature has opened Tor up to a new range of applications, enabling a new generation of whistleblowing platforms and new forms of untraceable messaging. Tor’s update has made those onion services less easily discovered and strengthened their encryption.

That overhaul should cement Tor’s reputation as an indispensable anonymity tool, says Marc Rogers, a security researcher for tech firm Cloudflare, who has also worked on a still-in-development Tor-based network router project himself. “It’s still pretty much the only game in town,” he says. “After this update, I can say that yes, Tor is the best privacy tool out there.”

Here's how you can use Tor today, whether you want to browse controversial sites in peace, or send messages the NSA can't peep.

Web Browsing

The most basic—and by far the most common—way to use Tor is to simply download, install, and run the TorBrowser from the Tor Project’s website. Like other Tor apps, it routes all its traffic over Tor, so that you're browsing the web truly incognito: The sites you're visiting see you as emerging from a random point on the internet and thus can't trace your true IP address or your associated identity.

Aside from making government or other targeted surveillance much more difficult, the TorBrowser also functions as a powerful anti-censorship tool for people in countries like Iran and China, since it hides any direct connection to domains like Google, Facebook, and Twitter that oppressive regimes often block. Be aware, however, that the final computer routing your traffic to a destination website in that three-hop system, known as an “exit node,” can see all of your activity as you connect to a website, even if it doesn’t know where that activity comes from. Privacy experts warn that law enforcement, intelligence services, and malicious hackers run their own exit nodes for exactly that surveillance purpose. It's critical, then, for Tor users to only visit HTTPS-protected websites to ensure that the information that passes between the browser and the site remains encrypted.

Some popular websites have now even started to run their own Tor onion services, including Facebook and ProPublica. That means they're essentially hosting a site on Tor's network, so that you can visit through the TorBrowser and your traffic remains encrypted all the way to its destination, with no need to trust an exit node.

Messaging

It’s easy to route not just your web browsing over Tor, but instant messaging, too. The Tor Project offers a program called Tor Messenger, which allows you to combine Tor with the chat protocols Jabber, IRC, Google Talk, and others. That means your connection to whatever server is running that chat service routes over Tor, so that the server can’t in theory identify your IP address or location.

Another app called TorChat goes a step further, allowing you to instant message using servers that themselves run as Tor onion services, which can only receive incoming connections through Tor. With that setup, anyone who might want to compromise the messages can't locate the servers that host them. And a next-generation tool called Ricochet takes the IM implementation of Tor yet another step, cutting servers out of the picture altogether. Instead, it turns your computer (or the computer of the person you’re talking to) into an onion service, so that you can connect directly through Tor without any middleman.

A slower but more widely used and well-audited way to route communications over Tor is SecureDrop. Taking a cue from WikiLeaks and originally coded by the late internet activist Aaron Swartz, SecureDrop allows anyone to host an anonymous dropbox for sensitive information. Dozens of news organizations now use it to solicit tips and leaked documents from whistleblowers, including The New York Times, The Washington Post, The Guardian, and of course WIRED.

For larger file transfers, an application called OnionShare essentially allows anyone to turn their computer into an onion service that anyone can connect to directly to download files, just as they might from a website—but without leaving any trace of their identity.

Everything Else

Instead of trying to route any particular app over Tor, why not route all your internet data over the Tor network? That's the pitch of products like Anonabox and Invizbox, small, portable routers that run Tor and are designed to siphon every packet that leaves or enters your computer over that protected network. But those routers—particularly Anonabox—have been criticized for security flaws.

Some security experts warn against routing all your data over Tor anyway. While Tor can effectively hide your IP address, the regular course of anyone's web browsing invariably includes sharing identifying details, which could defeat the purpose of using an anonymity tool in the first place.

Better still, in those cases, is an entire Tor-based operating system called Tails, an acronym for The Amnesiac Incognito Live System. The primary benefit of Tails has more to do with security than privacy; you can run it off of a USB drive, which once removed, leaves no trace on the computer that ran it, making it virtually impossible to install malware on the user's machine. But as an added bonus, it also routes all data over Tor, adding an extra layer of anonymity. The system is secure enough that it's been listed as a trouble spot for the NSA in documents leaked by Edward Snowden—and Snowden has also said that he uses it himself to avoid surveillance by his former employer.
